Certified info-sec pros get paid more

Few IT certifications are as tough to get as the Certified Internet Systems Security Professional. The high demand and low supply make for an increase in earning power, as well as respect amongst peers within the industry.
Written by Samuel Quek, Contributor on
So the downturn is here. Tech professionals are sinking or swimming. If you're a security professional, getting certified may be an option. Getting the right certification could mean a larger paycheck, and many corporations would just kill to have a Certified Internet Systems Security Professional (CISSP) on board.

There are, of course, a myriad of other certifications available for security professionals, but few as notoriously prestigious as the CISSP. There are only about 5,000 professionals worldwide who have been so-certified.

The organization that hands out the certification, the International Information Systems Security Certification Consortium (ISC)2, is a non-profit group dedicated to training and certifying info-sec (information security) professionals.

Started in 1989 by a group of US and Canadian firms to formulate a certification process for info-sec practitioners, the organization takes great pains to remain non-vendor-biased, said James Duffy, managing director and chief operating officer of the (ISC)2.

Headquartered in Framingham, Massachusetts, with a European office in London, (ISC)2 conducts CISSP training and exams throughout North America, Europe, Australia, New Zealand and Asia.

"Our whole message is the CISSP as a professional," said Duffy, summing up the organization's mission statement.

The certification is in high demand within the government and consultancy sectors, said Duffy, who was formerly vice president, managing information security technology and communications at People's Bank, based in Connecticut.

The organization's clientele includes the consulting firms PriceWaterhouseCoopers, KPMG, Ernst & Young and Deloitte & Touche, as well as multinationals such as Prudential and Exodus Communications.

The US Social Security Administration, Federal Aviation Administration and US Defense Department have also tied up with the consortium to provide training and have their info-sec professionals undergo the CISSP exam. Duffy claimed (ISC)2 is also in talks with other government agencies from countries outside the US, including those in Asia.

With the seemingly enormous demand for CISSPs, it's no wonder that almost all of its graduates see an increase in earning power. In the US, a raise of at least 10 percent of the original salary is typical, or else a US$8,000 to US$10,000 increase in base salary, said Duffy.

Beyond the pay issue--which would vary from company to company--the certification distinguishes the professional as one with a working knowledge of information security, as well as one who has passed one of the most rigorous exams in the IT industry.

The current demand for CISSP training and certification in Asia is enormous, Duffy claimed.

"From Big Five consulting firms to multinational corporations and governments, security certification is becoming an increasingly important issue as the Asian economy continues to become more Internet-centric," he said.

While CISSP has experienced solid acceptance in Europe, its exposure in Asia has not been highlighted as much. However, that hasn't seemed to slow down the response.

Earlier this year, 204 registrants took the exam in Hong Kong, while 147 sat for it in Seoul, Korea. The largest sitting ever for the CISSP exam was about 300 in the US.

The large attendance for the exams in Asia surprised Duffy: "We haven't even worked hard at it yet."

"Asia is a significant region for (ISC)2," he affirmed. "We are currently scouting locations for an Asian headquarters and are seeking to forge partnerships with Asian businesses and governments."

Getting the certification isn't exactly a piece of cake though. The exam itself costs US$450, consists of 250 multiple-choice questions and lasts six hours. One prerequisite for eligibility is that the candidate has to have at least three years of direct work experience in the security field.

The exam tests a candidate on the 10 domains of the information systems security common body of knowledge (CBK)--considered essential to the CISSP.

The 10 domains include:

  1. Security management practices
  2. Access control systems & methodology
  3. Law, investigations & ethics
  4. Physical security
  5. Business continuity & disaster recovery planning
  6. Security architecture & models
  7. Cryptography
  8. Telecommunications & network security
  9. Applications & systems development
  10. Operations security

As can be seen from the topics, the fields are diverse, and intentionally so. The purpose is to ensure that the security professional understands the interaction between all the different facets of information security. The exam itself tests for the ability to apply concepts and definitions, and is non-specific with regard to systems or software.

The test questions are based on commonly-accepted security principles, each having at least one reference by an expert source, said Duffy.

The test aside, there's also the issue of retaining the certification.

(ISC)2 does what it terms "continuing education" to ensure that CISSPs are constantly kept up-to-date in their field.

"Once an individual has successfully passed an (ISC)2 credentialing examination, continuing education is required to maintain their certification in good standing," said the notice on the (ISC)2 site.

According to Duffy, the professional has to obtain 120 hours of education in the info-sec field every three years or retake the certification examination. Attending conferences, completing courses, publishing journals, articles or books, and even providing security training can earn them credits. Volunteer work on (ISC)2 committees also counts as credits.

Members log their credits on the (ISC)2 Website, and are randomly audited by volunteers from within the consortium. So far, the consortium boasts a 95 percent retention rate.

All members are also called upon to adhere to the (ISC)2 Code of Ethics. Violation of the Code is cause for revocation of certification, although Duffy assured that so far, no CISSP has had his certification taken away for such a breach.

However, there have been cases in which certification was revoked over falsified information. These involved candidates who had lied about the length of their working experience prior to taking the test. Such revocation also entails a permanent disbarment from the consortium, said Duffy.

But Duffy stressed that: "Our job is not to decertify."

"There are no trick questions (in the exam)," he pointed out. "What we do have are tough questions to defeat 'professional test-takers'."
